Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

726
Views
0
Helpful
5
Replies
Tulga Bat
Beginner
Beginner
‎08-20-2013 08:40 PM
‎08-20-2013 08:40 PM

ASA 5510 Issue

I am receiving below message on the Internet Firewall and losing connection, mostly upload side like Outlook, Facebook, Youtube ...

6      9:38:45     106015      53142     173.252.112.23     443     Deny TCP (no connection) from 10.*.*.*/53142 to 173.252.112.23/443 flags RST on interface inside

i've tried "sysopt connection timewait" command and still no success, any idea?

Labels:
0 Helpful
5 REPLIES 5
vishaw jasrotia
Beginner
Beginner
‎08-20-2013 11:25 PM
‎08-20-2013 11:25 PM

hey

please paste your running configuration

Thanks

Vishaw

0 Helpful
Tulga Bat
Beginner
Beginner
In response to vishaw jasrotia
‎08-21-2013 08:17 PM
‎08-21-2013 08:17 PM

Actually there is not much configs on it

0 Helpful
Julio Carvajal
Advisor
Advisor
In response to Tulga Bat
‎08-21-2013 08:50 PM
‎08-21-2013 08:50 PM

Hello Tulgabat,

As you can see the ASA is receiving a RESET packet from the Inside client after the connection has been torndown.

My recommendations: Do captures on both interfaces of the ASA:

cap capin interface inside match tcp host inside_host_ip_address host outside_host_ip_address

cap capout interface outside match tcp host outside_nat_ip_address host outside_host_ip_address

Then attempt to connect and finally provide the following to us

show cap capin

show cap capout

show logging | include x.x.x.x (Inside_host_IP address) Hopefully you have loggin enabled

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Tulga Bat
Beginner
Beginner
In response to Julio Carvajal
‎08-21-2013 11:01 PM
‎08-21-2013 11:01 PM

# sh cap capout

   : 14:02:44.673091 202.131.225.97.6153 > 74.117.178.90.80: P 2135110166:2135                                            111132(966) ack 650230300 win 16436

   : 14:02:44.870438 74.117.178.90.80 > 202.131.225.97.6153: . ack 2135111132                                             win 13

  : 14:02:44.874466 74.117.178.90.80 > 202.131.225.97.6153: P 650230300:65023                                            0647(347) ack 2135111132 win 13

  : 14:48:39.055279 202.131.225.97.47817 > 74.117.178.90.80: F 2964315953:296                                            4315953(0) ack 3956491086 win 16560

  : 14:48:39.253648 74.117.178.90.80 > 202.131.225.97.47817: F 3956491086:395                                            6491273(187) ack 2964315954 win 6

  : 14:48:39.254747 202.131.225.97.47817 > 74.117.178.90.80: R 2964315954:296                                            4315954(0) ack 3956491273 win 0

0 Helpful
Julio Carvajal
Advisor
Advisor
In response to Tulga Bat
‎08-21-2013 11:22 PM
‎08-21-2013 11:22 PM

Hello,

Based on this it seems the Internal host is closing the connection:

  28: 14:48:39.055279 202.131.225.197.47817 > 74.117.178.90.80: F 2964315953:296                                            4315953(0) ack 3956491086 win 16560

  29: 14:48:39.253648 74.117.178.90.80 > 202.131.225.197.47817: F 3956491086:395                                            6491273(187) ack 2964315954 win 6

  30: 14:48:39.254747 202.131.225.197.47817 > 74.117.178.90.80: R 2964315954:296                                            4315954(0) ack 3956491273 win 0

TCP FIN packets being negotiated to close the session and afterwards the computer sending a reset

Check my blog at http:laguiadelnetworking.com  and subscribe so you can get daily information about networking.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Latest Contents
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad